Squid "replicating" itself inside Status–>Services

Veni

I have been running 1.0.1-SNAPSHOT-03-18-2007 built on Thu Mar 8 22:14:44 EST 2007
for 14h 51m. I did a full reinstall with the help of the ISO.

I just got several email-notices from my syslog server informing me of syslog entries that
do not appear on my "Allowed" list, thus forwarding them to my email box.

When looking inside Status –> Services i did not quite get it why something like this would happened:
Squid appears 8 times as a service(see attached image file).

And i'm not quite sure why i see a alert about:

"New alert found: The squid package is missing required dependencies and must be reinstalled.
Mar 10 05:19:34 php: : Beginning package installation for 0.

I have not touched squid settings, nor installed anything on pfSense since i did a full reinstall and restore of
settings with the help of the backup file.

At the time there is only my computer using squid for browsing and i was browsing the web at
the time the alerts came in. I did notice that Snort had flushed it's blocked list, but
it appears to be working because it has registered that it has blocked some new fresh ip's.

I did not notice any downtime on the WAN. Traffic Graph and RRD Graphs show no drop at all in WAN traffic.
Aside from the warnings that came to the syslog server, at this time there is only some sort of cosmetic issue
inside Status–>Services.

This is what i got from the database that holds every syslog entry when filtering on sourceip, date and time.
Do notice that i have edited out the large part about rules+statistics at 05:20:21.

| Mar 10 05:19:13 dhclient: netstat |
| Mar 10 05:19:13 dhclient: EXPIRE |
| Mar 10 05:19:13 dhclient: Deleting old routes |
| Mar 10 05:19:13 dhclient: netstat |
| Mar 10 05:19:13 dhclient: PREINIT |
| Mar 10 05:19:13 dhclient: netstat |
| Mar 10 05:19:13 dhclient: ARPSEND |
| Mar 10 05:19:15 dhclient: netstat |
| Mar 10 05:19:15 dhclient: ARPCHECK |
| Mar 10 05:19:15 dhclient: netstat |
| Mar 10 05:19:15 dhclient: BOUND |
| Mar 10 05:19:15 dhclient: Starting add_new_address() |
| Mar 10 05:19:15 dhclient: ifconfig fxp0 inet 81.236.129.20 netmask 255.255.255.0 broadcast 81.236.129.255 |
| Mar 10 05:19:15 dhclient: New IP Address (fxp0): 81.236.129.20 |
| Mar 10 05:19:15 dhclient: New Subnet Mask (fxp0): 255.255.255.0 |
| Mar 10 05:19:15 dhclient: New Broadcast Address (fxp0): 81.236.129.255 |
| Mar 10 05:19:15 dhclient: New Routers (fxp0): 81.236.129.1 |
| Mar 10 05:19:15 dhclient: Adding new routes |
| Mar 10 05:19:15 dhclient: /sbin/route add default 81.236.129.1 |
| Mar 10 05:19:15 dhclient: Creating resolv.conf |
| Mar 10 05:19:15 dhclient: notify_rc_newwanip() |
| Mar 10 05:19:15 check_reload_status: rc.newwanip starting |
| Mar 10 05:19:16 php: : Informational: rc.newwanip is starting fxp0. |
| Mar 10 05:19:16 php: : rc.newwanip working with IP address 81.236.129.20 wan fxp0. |
| Mar 10 05:19:18 php: : Informational: DHClient spawned /etc/rc.newwanip and the new ip is wan - 81.236.129.20. |
| Mar 10 05:19:18 php: : Creating rrd update script |
| Mar 10 05:19:20 php: : Resyncing configuration for all packages. |
| Mar 10 05:19:20 php: : Reloading Squid for configuration sync |
| Mar 10 05:19:21 php: : New alert found: The squid package is missing required dependencies and must be reinstalled. |
| Mar 10 05:19:21 php: : Beginning package installation for 0. |
| Mar 10 05:19:22 dnsmasq[520]: reading /etc/resolv.conf |
| Mar 10 05:19:22 dnsmasq[520]: using nameserver 195.67.199.41#53 |
| Mar 10 05:19:22 dnsmasq[520]: using nameserver 195.67.199.40#53 |
| Mar 10 05:19:22 dnsmasq[520]: using nameserver 195.67.199.39#53 |
| Mar 10 05:19:30 php: : Stopping any running proxy monitors |
| Mar 10 05:19:31 php: : Starting Squid |
| Mar 10 05:19:31 php: : Starting a proxy monitor script |
| Mar 10 05:19:31 squid[74469]: Squid Parent: child process 74472 started |
| Mar 10 05:19:31 squid[74469]: Squid Parent: child process 74472 started |
| Mar 10 05:19:31 php: : Reloading Squid for configuration sync |
| Mar 10 05:19:31 php: : Reloading Squid for configuration sync |
| Mar 10 05:19:34 php: : New alert found: The squid package is missing required dependencies and must be reinstalled. |
| Mar 10 05:19:34 php: : Beginning package installation for 0. |
| Mar 10 05:19:42 php: : New alert found: The squid package is missing required dependencies and must be reinstalled. |
| Mar 10 05:19:42 php: : Beginning package installation for 0. |
| Mar 10 05:19:49 php: : New alert found: The squid package is missing required dependencies and must be reinstalled. |
| Mar 10 05:19:49 php: : Beginning package installation for 0. |
| Mar 10 05:19:56 php: : New alert found: The squid package is missing required dependencies and must be reinstalled. |
| Mar 10 05:19:56 php: : Beginning package installation for 0. |
| Mar 10 05:20:00 check_reload_status: check_reload_status is starting |
| Mar 10 05:20:00 check_reload_status: rc.newwanip starting |
| Mar 10 05:20:03 php: : Informational: rc.newwanip is starting fxp0. |
| Mar 10 05:20:03 php: : rc.newwanip working with IP address 81.236.129.20 wan fxp0. |
| Mar 10 05:20:05 php: : New alert found: The squid package is missing required dependencies and must be reinstalled. |
| Mar 10 05:20:05 php: : Beginning package installation for 0. |
| Mar 10 05:20:05 php: : Informational: DHClient spawned /etc/rc.newwanip and the new ip is wan - 81.236.129.20. |
| Mar 10 05:20:05 php: : Creating rrd update script |
| Mar 10 05:20:05 php: : Configuring slbd |
| Mar 10 05:20:05 check_reload_status: reloading filter |
| Mar 10 05:20:10 php: : Filter: FTP proxy disabled for interface LAN - ignoring. |
| Mar 10 05:20:13 php: : New alert found: The squid package is missing required dependencies and must be reinstalled. |
| Mar 10 05:20:13 php: : Beginning package installation for 0. |
| Mar 10 05:20:13 php: : [SNORT] Snort_dynamic_ip_reload.php is starting. |
| Mar 10 05:20:13 php: : Dynamic WAN interface present. Restarting snort due to filter changes. |
| Mar 10 05:20:13 snort[20763]: *** Caught Term-Signal |
| Mar 10 05:20:13 snort[20763]: *** Caught Term-Signal |
| Mar 10 05:20:13 snort[20763]: Final Flow Statistics |
| Mar 10 05:20:13 snort[20763]: Final Flow Statistics |
| Mar 10 05:20:13 snort[20763]: ,–--[ FLOWCACHE STATS ]–-------- |
| Mar 10 05:20:13 snort[20763]: ,–--[ FLOWCACHE STATS ]–-------- |
| Mar 10 05:20:13 snort[20763]: Memcap: 10485760 Overhead Bytes 16400 used(%99.999924)/blocks (10485752/58489) Overhead blocks: 1 Could Hold: (58579) |
| Mar 10 05:20:13 snort[20763]: Memcap: 10485760 Overhead Bytes 16400 used(%99.999924)/blocks (10485752/58489) Overhead blocks: 1 Could Hold: (58579) |
| Mar 10 05:20:21 snort[75063]: Var 'RULE_PATH' defined, value len = 26 chars |

Edited out alot of text

| Mar 10 05:20:21 snort[75063]: |
| Mar 10 05:20:34 SnortStartup[75156]: Ram free BEFORE starting Snort: 1239M – Ram free AFTER starting Snort: 1262M -- Mode ac-sparsebands -- Snort memory usage: |
| Mar 10 05:20:34 check_reload_status: updating dyndns |
| Mar 10 05:20:38 SnortStartup[75193]: Ram free BEFORE starting Snort: 1253M – Ram free AFTER starting Snort: 1278M -- Mode ac-sparsebands -- Snort memory usage: |
| Mar 10 05:21:03 dnsmasq[520]: reading /etc/resolv.conf |
| Mar 10 05:21:03 dnsmasq[520]: using nameserver 195.67.199.41#53 |
| Mar 10 05:21:03 dnsmasq[520]: using nameserver 195.67.199.40#53 |
| Mar 10 05:21:03 dnsmasq[520]: using nameserver 195.67.199.39#53 |
| Mar 10 05:23:20 snort2c[75090]: attack detected non-whitelisted ip: 222.127.54.68 blocked ! |

Veni

Update: The same thing again, but now this time i have 15 squid's inside Status–>Services ;D.
Looks like Squid will soon take over the pfSense computer.

New update: Now i have 22 squids inside Status–>Services, and i notice that the snort service has stopped,
but i have no problem of re-starting the service.
Looks like it's time to get a antivirus for Squid so that it stops to replicate it self ;D.

New update: Now i have 29 squids…. and something shut down snort...manual re-start of snart worked.

And i don't get it with the line "Mar 10 05:20:13 php: : Dynamic WAN interface present. Restarting snort due to filter changes".
What type of filter changes could that line refer to? I did not change anything inside the firewall section, nor squid or snort.

And squid and snort are working with each other, atleast to the point of shuting down and replicating.
Well it usally takes two to replicate ;D.

mhab12

It seems like this was an issue for some people when a couple of the snapshots came out. For me the fix was simple, just uninstall squid from the package GUI, reboot, reinstall squid from the package GUI, reboot and there should only be one instance.

Veni

Thanks for the tip, it did the truck :D.
I will keep my fingers crossed and hope to never see it again.

I was not far away from a nervous breakdown ;D.